OpenVPN Support Forum

We just setup an OpenVPN Access server on AWS using the prebuilt AMI. We are using the unlicensed version and installed all the updates.

The problem is that when i connect to the VPN using the OpenVPN Connect app, I am unable to access the internet. The VPN looks like it's connected, both in the client (or in the browser) and on the server. But I have no access to the internet.

I cannot ping the default gateway for the VPN, so I'm not even sure that I have a good connection or if ping is just turned off. I cannot go to https://123.123.123.123/admin (the server admin page) - the page doesn't load, though I am an OpenVPN admin user.

On my machine, Windows Firewall is turned off. I did bypass the chrome warning about the insecure connection when using the browser to connect.

There is another Windows 7 user who is connecting successfully with no problems.

UPDATE: I can go to the admin page when I am not connected to the VPN. Looking at the log files, it appears that I am being authenticated successfully, but then when the VPN is established, I lose all connectivity. I cannot ping the VPN gateway, which should be possible according to the other Windows 7 user who has no problems.

It appears that there may be a problem with the TAP Adapter. Any recommendations for troubleshooting?

UPDATE 2: I can now access the internet... In the properties for my wireless adapter, I clicked on properties for TCP/IPv4, then clicked on Advanced, and then unchecked "Automatic metric" and gave the Interface metric a value of 15. This changed my route table so that the wireless card was given a higher priority than the TAP adapter.

I'm still trying to figure out how why I cannot ping the VPN gateway.

Try adding this line to Advanced VPN > Server config directives;

push "route-metric 1000"

And save settings and update running servers. Undo the change you made to your wifi interface and try connecting and see what happens.

UPDATE - SOLVED

All I needed to do was lower the metric of my LAN adapter as I specified in UPDATE 2. I verified that nobody can ping the VPN gateway, but once connected, I can ping other IP addresses for the users who are also connected. To do this, I made a change to the user permissions - "Allow access from" - all other VPN clients. I just changed that for testing.

@novaflash - I tried your suggestion and that works... thanks! (PS, at first I didn't realize I had to restart the server)

It only works for the server config directives, and it will force the routes pushed by the server into a much higher route metric, which should result in a similar situation to lower the metric on your network interface. The difference will be visible in route print output on command line.

Thanks... I didn't see the button at the top of the page to restart after I made the change. I restarted and it worked... I can see the TAP adapter has a much higher metric now.

Good. Now manually adjusting your route metric on your adapters should no longer be necessary.

Thank you very much!